New EDPB draft Guidance for international data transfers

On 11 November 2020, the European Data Protection Board (EDPB) published Supplementary Transfer Measures Recommendations and European Essential Guarantees Recommendations.

Background

The Schrems II decision of the Court of Justice of the European Union (CJEU) earlier this year revealed grey areas regarding international transfers of personal data.

Regarding this decision, see our Lexing Network Privacy and Data Protection team’s summary here.

In a nutshell, the CJEU:

• invalidated the EU-U.S. Privacy Shield Frameworks;
• decided that international transfers based on SCCs mechanism remain valid; but
• added that the data exporter’s relying on SCCs must perform a case-by-case analysis to verify if the law of the data importer’ country ensures a level of protection of the transferred personal data that is essentially equivalent to that guaranteed in the EEA. If not, additional measures must be taken.

According to the EDPB, whether or not data controllers can transfer personal data on the basis of SCCs will depend on the result of such an assessment, taking into account the circumstances of the transfers, and « supplementary measures » that could be implemented.

This decision created uncertainty, since it notably raised the question of which supplementary measures can be sufficient to guarantee the legality of an international data transfer.

Therefore, following this decision, the EDPB published a set of recommendations:

• Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data; and
• Recommendations 02/2020 on the European Essential Guarantees for surveillance measures

Supplementary Transfer Measures Recommendations

The Recommendations provide a six-step roadmap to help data exporters with the complex task of assessing data transfers to third countries (i.e. non-EEA countries) and identifying appropriate supplementary measures where needed.

The key points of this roadmap are as follows:

Step 1. Know your data transfers

Identify and map all personal data transfers to third countries (including any onward transfers) and ensure such transfers comply with the GDPR principle of data minimisation.

Remote access from a third country (e.g. for support services) and/ or use of cloud-based solutions located outside the EEA are also considered to be a transfer.

Step 2. Identify the transfer tools you are relying on

Identify the appropriate data transfer mechanism amongst those listed in Chapter V GDPR, i.e. :

– Adequacy decision (article 45);
– Appropriate safeguards, such as SCCs, BCRs, codes of conduct, etc. (article 46); or
– Derogations (article 49).

If the transfer is based on an adequacy decision or meets the strict conditions for a derogation, no further requirements.

If the data transfer is based on appropriate safeguards, continue to step 3.

Step 3. Assess the effectiveness of the Article 46 GDPR transfer tool you are relying in the context of your specific data transfer

Assess (with the support of the importer where appropriate) whether the laws or practices of the third country may prevent the personal data transferred from being afforded an essentially equivalent level of protection as under the GDPR.

Particular attention should be paid when domestic legislations lay down requirements to disclose personal data to public authorities or granting such public authorities powers of access to personal data (e.g. under U.S. law, not. with Section 702 of FISA and E.O. 12333). See Recommendations for EEGs below.

Step 4. Identify and adopt supplementary measures

If the third country’s laws or practices does not provide an essentially equivalent level of protection to the EU (e.g. if Section 702 of FISA and/ or E.O. 12333 applies, for E.U.-US transfers), identify and adopt effective supplementary measures (to the safeguards already provided for by article 46) that will ensure such protection.

Annex 2 of the Recommendations provides for a non-exhaustive list of technical (e.g. pseudonymisation or encryption), contractual (e.g. transparency obligations) and organisational (e.g. internal policies) supplementary measures. It also provides for scenarios for which effective measures could be found, or not. Please read our next news related to these supplementary measures and the new draft set of SCCs adopted by the European Commission.

If no appropriate supplementary measure can be adopted, you must avoid, suspend or terminate the data transfer.

Step 5. Procedural steps if you have identified effective supplementary measures

Take the necessary procedural steps for the implementation of the identified supplementary measures. Specific consultation with the relevant data protection supervisory authority may be required depending on the appropriate safeguards you are relying on.

Step 6. Re-evaluate at appropriate intervals

Periodically re-evaluate whether the protection granted to transferred personal data has changed due to the adoption of new legislation in the third country. No precise indication is given about the frequency of reassessment.

European Essential Guarantees Recommendations

The Recommendations update the European Essential Guarantees (EEGs) drafted by the Article 29 Working Party in response to the Schrems I judgment. Their aim is to provide further guidance in assessing whether the surveillance measures of the importer’s country allowing access to personal data by public authorities (i.e. national security agencies or law enforcement authorities) can be considered as a justifiable interference or not.

Within the framework of this interference assessment, four EEGs should be addressed:

• Processing shoud be based on clear, precise and accessible rules
• Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
• An independent oversight mechanism should exist
• Effective remedies need to be available to the individual